The HIPAA Security Rule Manual

TABLE OF CONTENTS

Preface

Chapter 1: Understanding the Security Rule
  Introduction
  Administrative Simplification and the Security Rule
  The Privacy Rule and the Security Rule
  What is electronic protected health information?
  What the Security Rule is based on
  Understanding the threes
    The three basic principles
    The three security objectives
    The three categories of safeguards
  How the Security Rule is organized
    Standards and Implementation Specifications
    Template: Decision Documentation Tool
  How to Use this Manual
  Summary
Chapter 2: Getting Started
  Introduction
  Assigned Security Responsibility
    Tool: Sample Security Official Job Description
    Tool: Sample Documentation of Assigned Security Responsibility Form
  Policies and Procedures
  Documentation Requirements
    Tool: Documentation of Security Rule Compliance
  Business Associate Contracts and Other Arrangements
    Template: Sample Business Associate Agreement Addendum
    Template: Model Letter Notifying Existing Business Associates of Automatic Amendment to Business Associate Addendum
    Tool: Sample Business Associate Policy and Procedure
  Summary
Chapter 3: Introduction to Risk Analysis and Risk Management
  Introduction
  What is risk analysis and risk management?
  How to analyze and manage risk
    Step 1 – Getting started
    Step 2 – Describing the security environment
      Template: Describing the security environment
    Step 3 – Identifying potential threats to the confidentiality, integrity and availability of ePHI
    Step 4 – Assessing the vulnerability of ePHI
      Template: Risk Analysis Worksheet
    Step 5 – Using the results of the risk analysis to manage risk and comply with the Security Rule
      Template: Risk Management Worksheet
  Summary
  Template: Sample Risk Analysis/Risk Management Report Outline
Chapter 4: The Administrative Safeguards
  Introduction
  The Security Management Process
    Risk Analysis
    Risk Management
    Sanction Policy
    Information System Activity Review
  Workforce Security
    Authorization and/or supervision
    Workforce clearance procedure
    Termination procedures
  Information Access Management
    Access authorization
    Access establishment and modification
  Security Awareness and Training
    Security reminders
    Protection from malicious software
    Log-in monitoring
    Password management
  Security Incident Procedures
    Response and reporting
  Contingency Plan
    Applications and data criticality analysis
    Data backup plan
    Disaster recovery plan
    Emergency mode operation plan
    Testing and revision procedures
  Evaluation
  Summary
  Tool: General To Do List: The Administrative Safeguards
  Compliance Resources: The Administrative Safeguards
    The Security Management Process
      Tool: Risk Analysis Worksheet: Security Management Process
      Tool: Risk Management Worksheet: Security Management Process
      Tool: Sample Risk Analysis Policy and Procedure
      Tool: Sample Risk Management Policy and Procedure
      Tool: Sample Sanction Policy and Procedure
      Tool: Sample Information System Activity Review Policy and Procedure
    Workforce Security
      Tool: Risk Analysis Worksheet: Workforce Security
      Tool: Risk Management Worksheet: Workforce Security
      Form: Termination of Access Checklist
      Tool: Sample Workforce Security Policy and Procedure
      Tool: Decision Documentation: Authorization and/or Supervision
      Tool: Decision Documentation: Workforce Clearance Procedure
      Tool: Decision Documentation: Termination Procedures
    Information Access Management
      Tool: Risk Analysis Worksheet: Information Access Management
      Tool: Risk Management Worksheet: Information Access Management
      Tool: Sample Information Access Management Policy and Procedure
      Tool: Decision Documentation: Access Authorization
      Tool: Decision Documentation: Access Establishment and Modification
    Security Awareness and Training
      Tool: Risk Analysis Worksheet: Security Awareness and Training
      Tool: Risk Management Worksheet: Security Awareness and Training
      Tool: Sample Security Awareness and Training Policy and Procedure
      Tool: Sample Protection from Malicious Software Policy and Procedure
      Tool: Sample Log-in Monitoring Policy and Procedure
      Tool: Sample Password Management Policy and Procedure
      Tool: Decision Documentation: Security Reminders
      Tool: Decision Documentation: Protection from Malicious Software
      Tool: Decision Documentation: Log-in Monitoring
      Tool: Decision Documentation: Password Management
    Security Incident Procedures
      Tool: Risk Analysis Worksheet: Security Incident Procedures
      Tool: Risk Management Worksheet: Security Incident Procedures
      Tool: Sample Security Incident Policy and Procedure
      Tool: Security Incident Report Form
      Tool: Security Incident Log
    Contingency Plan
      Tool: Risk Analysis Worksheet: Contingency Plan
      Tool: Risk Management Worksheet: Contingency Plan
      Tool: Contingency Plan Template
      Tool: Decision Documentation: Testing and Revision Procedures
      Tool: Decision Documentation: Applications and Data Criticality Analysis
    Evaluation
      Tool: Risk Analysis Worksheet: Evaluation
      Tool: Risk Management Worksheet: Evaluation
      Tool: Sample Evaluation Policy and Procedure
Chapter 5: The Physical Safeguards
  Introduction
  Facility Access Controls
    Contingency operations
    Facility security plan
    Access control and validation procedures
    Maintenance records
  Workstation Use and Workstation Security
  Device and Media Controls
    Disposal and media re-use
    Accountability
    Data backup and storage
  Summary
  Tool: General To Do List: The Physical Safeguards
  Compliance Resources: The Physical Safeguards
    Facility Access Controls
      Tool: Risk Analysis Worksheet: Facility Access Controls
      Tool: Risk Management Worksheet: Facility Access Controls
      Tool: Sample Facility Access Controls Policy and Procedure
      Tool: Decision Documentation: Contingency Operations
      Tool: Decision Documentation: Facility Security Plan
      Tool: Decision Documentation: Access Control and Validation Procedures
      Tool: Decision Documentation: Maintenance Records
    Workstation Use and Workstation Security
      Tool: Risk Analysis Worksheet: Workstation Use and Workstation Security
      Tool: Risk Management Worksheet: Workstation Use and Workstation Security
      Tool: Sample Workstation Use and Workstation Security Policy and Procedure
    Device and Media Controls
      Tool: Risk Analysis Worksheet: Device and Media Controls
      Tool: Risk Management Worksheet: Device and Media Controls
      Tool: Decision Documentation: Accountability
      Tool: Decision Documentation: Data Backup and Storage
      Tool: Sample Device and Media Controls Policy and Procedure
Chapter 6: The Technical Safeguards
  Introduction
  Access Control
    Unique user identification
    Emergency access procedure
    Automatic logoff
    Encryption and decryption
  Audit Controls
  Integrity
    Mechanism to authenticate electronic protected health information
  Person or Entity Authentication
  Transmission Security
    Integrity controls
    Encryption
  Summary
  Tool: General To Do List: The Technical Safeguards
  Compliance Resources: The Technical Safeguards
    Access Control
      Tool: Risk Analysis Worksheet: Access Control
      Tool: Risk Management Worksheet: Access Control
      Tool: Sample Technical Access Control Policy and Procedure
      Tool: Decision Documentation: Automatic Logoff
      Tool: Decision Documentation: Encryption and Decryption
    Audit Controls
      Tool: Risk Analysis Worksheet: Audit Controls
      Tool: Risk Management Worksheet: Audit Controls
    Integrity
      Tool: Risk Analysis Worksheet: Integrity
      Tool: Risk Management Worksheet: Integrity
      Tool: Decision Documentation: Mechanism to Authenticate ePHI
      Tool: Sample Integrity of Electronic Protected Health Information Policy and Procedure
    Person or Entity Authentication
      Tool: Risk Analysis Worksheet: Person or Entity Authentication
      Tool: Risk Management Worksheet: Person or Entity Authentication
      Tool: Sample Person or Entity Authentication Policy and Procedure
    Transmission Security
      Tool: Risk Analysis Worksheet: Transmission Security
      Tool: Risk Management Worksheet: Transmission Security
      Tool: Sample Transmission Security Policy and Procedure
      Tool: Decision Documentation: Integrity Controls
      Tool: Decision Documentation: Encryption
Chapter 7: Conclusion
  Tool: Master NOT To Do List: The HIPAA Security Rule
  Tool: Master To Do List: The HIPAA Security Rule

Glossary

Appendix A – Additional Resources
Appendix B – The Final Security Rule
Appendix C – The Proposed Security Rule
List of Tables
  Table 1: Similarities between the Privacy Rule and the Security Rule
  Table 2: Differences between the Privacy Rule and the Security Rule
  Table 3: Standards and implementation specifications of the Security Rule
  Table 4: Documentation of Security Rule compliance
  Table 5: Business associate requirements similarities and differences
  Table 6: Common threats to ePHI
  Table 7: Methods for Providing Periodic Security Reminders
  Table 8: Possible Security Incidents
  Table 9: Guidelines for Acceptable Use and Security of Workstations